[Help-gnutls] Peer certificates not signed by any CA

Florian Weimer fweimer at bfk.de
Fri Jun 4 17:10:17 CEST 2010


* Nikos Mavrogiannopoulos:

> On Fri, Jun 4, 2010 at 10:49 AM, Florian Weimer <fweimer at bfk.de> wrote:
>> * Nikos Mavrogiannopoulos:
>>
>>>> May I assume that the first certificate returned by
>>>> gnutls_certificate_get_peers contains public key material which
>>>> actually corresponds to the private key material which was used to
>>>> establish the session?
>>
>>> No. That would be the last certificate in the chain.
>>
>> But the documentation says:
>>
>>     Get the peer's raw certificate (chain) as sent by the peer.  These
>>     certificates are in raw format (DER encoded for X.509).  In case of
>>     a X.509 then a certificate list may be present.  The first
>>     certificate in the list is the peer's certificate, following the
>>     issuer's certificate, then the issuer's issuer etc.
>> So which one is correct? 8-)
>
> The documentation is correct. Did I really say the thing above? :)

Yes, but that was a long time ago. 8-)

Thanks for the clarification.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
